A History of Computer Law

In 1976, a Harvard dropout named Bill Gates wrote an angry letter to a club of computer hobbyists. They had been passing around copies of the BASIC programming language he and Paul Allen had written for the Altair microcomputer, and almost none of them had paid for it. "Who can afford to do professional work for nothing?" he demanded. "Is this fair?" It was, in retrospect, one of the founding documents of an entire field of law—because in 1976 nobody could say with confidence whether copying that software was even illegal. The law had no settled answer. Software was a new kind of thing in the world, and the legal system had not yet decided which of its dusty old boxes to put it in.

That is the recurring drama of computer law. Almost every milestone in this history is a moment when some genuinely novel object—a program, an encrypted message, a hyperlink, a comment section, a neural network—arrives at the courthouse door, and a judge or a legislator has to decide whether it is more like a book, a machine, a telephone call, a bulletin board, or something the law has never seen. The answers were rarely obvious, often wrong on the first try, and almost always fascinating. This article tells that story as a story: a roughly chronological tour of the milestones that built the body of law now governing the digital world, with each landmark explained in plain language so that a judge, a practicing lawyer, and a curious layperson can all follow along.

A quick definition before we begin, because "computer law" is not a single statute or a single court. It is an umbrella term for the legal rules that govern computers, software, networks, and data—drawn from copyright, patent, and trade-secret law; from criminal statutes about unauthorized access; from contract and commercial law; from constitutional free-speech and search-and-seizure doctrine; and from the fast-growing field of privacy regulation. What unites these strands is not a common source but a common problem: how to govern machines that do things the law's authors never imagined.

Prologue: The Patent That Was Almost the Whole Story

Before software, there was hardware, and the first great computer-law fight was about who invented the electronic digital computer itself. In Honeywell, Inc. v. Sperry Rand Corp., 180 U.S.P.Q. 673 (D. Minn. 1973), a federal judge in Minnesota spent years untangling the question, and in 1973 ruled that the patent on the ENIAC—long credited as the first general-purpose electronic computer—was invalid. The court found that the ENIAC's inventors, John Mauchly and J. Presper Eckert, had derived key ideas from an earlier machine built by John Atanasoff at Iowa State, and that the patent had also been forfeited by being in public use too long before filing. The practical effect was to push the foundational architecture of digital computing into the public domain, which is part of why no single company "owned" the computer.

That case is a useful starting point because it shows the law doing what it knew how to do. A computer in 1973 was a machine, and machines were the bread and butter of patent law since the Industrial Revolution. The hard problems were still coming. They would arrive the moment the valuable part of a computer stopped being the metal and started being the instructions.

Act I: Can You Copyright a Program? (The 1970s and 1980s)

By the 1970s, the economics had inverted. A mainframe was expensive, but the software that made it useful was becoming the thing people actually fought over—and software did not fit. It was not a literary work in any ordinary sense (nobody curls up with a payroll program), but it was written, in a language, by an author. It was not exactly a machine, but it made machines behave like machines. Was it copyrightable? Patentable? Neither? Both?

CONTU: A Commission Decides Software Is Writing

Congress, sensing it was about to be overtaken, created a study commission. The National Commission on New Technological Uses of Copyrighted Works—mercifully abbreviated CONTU—was established in 1974 and delivered its final report in 1978. CONTU's central recommendation was simple and consequential: computer programs should be protected by copyright, like other works of authorship. Congress agreed and, in the Computer Software Copyright Act of 1980, amended the Copyright Act of 1976 to add a statutory definition of a "computer program" (17 U.S.C. § 101) and a special provision, § 117, permitting the owner of a copy to make backups and the adaptations needed to run it.

This was a fateful choice. By routing software through copyright rather than inventing a brand-new "software right," Congress imported a whole apparatus: protection arises automatically at the moment of creation, lasts for a very long time (now generally the life of the author plus 70 years, or 95 years for corporate works), and protects expression but not ideas. For the deeper mechanics of how programs are registered and protected today, see our guides on copyright registration of computer programs and the legal protection of software through copyrights, patents, trade secrets, and contracts.

But CONTU left a gaping question. A program exists in two forms: source code, the human-readable instructions a programmer types ("if x then y"), and object code, the string of ones and zeros the machine actually executes. Source code looks like writing. Object code looks like a machine. Could you copyright the version humans cannot read?

Apple v. Franklin: Object Code Is Copyrightable

The answer came from a scrappy company that tried to clone the Apple II. Franklin Computer Corporation built the Franklin ACE, a machine designed to run Apple software—and to do that, Franklin copied Apple's operating system almost verbatim, ones and zeros included, baked into ROM chips. Apple sued. Franklin's defense was audacious and, for a moment, plausible: object code embedded in a chip, it argued, was not a "writing" at all but a functional part of a machine, and an operating system was a "process" or "method of operation" that copyright cannot reach.

In Apple Computer, Inc. v. Franklin Computer Corp., 714 F.2d 1240 (3d Cir. 1983), the Third Circuit rejected every piece of that argument. Object code is copyrightable, the court held, whether stored on paper or burned into silicon; a program is no less a work of authorship because a machine, rather than a person, reads it. And an operating system is as protectable as an application program—the fact that software performs a function does not strip it of copyright, so long as there was more than one way to write it. The decision, handed down in 1983, effectively settled that the entire commercial software industry would be built on a copyright foundation. Franklin lost, settled, and the clone died.

Apple v. Franklin is worth lingering on because it established a principle that still animates software disputes: copyright protects the particular expression of a program—the specific code a developer wrote—but not the underlying function or idea. That idea/expression line, traceable all the way back to Baker v. Selden, 101 U.S. 99 (1879), where the Supreme Court held that copyright in a book explaining a bookkeeping system did not give the author a monopoly on the system itself, would do enormous work in the decades to come. It is the reason competitors can lawfully write their own programs that do the same thing, so long as they do not copy your code.

Whelan, Altai, and the "Look and Feel" Wars

Having decided software was copyrightable, courts immediately ran into the hard part: how much of a program does copyright protect? Just the literal code, or also its structure, sequence, and organization—and even the way it looked and felt to the user?

The pendulum swung. In Whelan Associates v. Jaslow Dental Laboratory, 797 F.2d 1222 (3d Cir. 1986), the Third Circuit protected software very broadly, reaching its "structure, sequence and organization." This alarmed the industry, because read aggressively it could let the first mover lock up the only sensible way to design a program. Six years later the Second Circuit pulled hard in the other direction. In Computer Associates International, Inc. v. Altai, Inc., 982 F.2d 693 (2d Cir. 1992), the court devised the influential "abstraction-filtration-comparison" test: break the program into levels of abstraction, filter out the elements dictated by efficiency, by external constraints, or taken from the public domain, and then compare only what is left. The result was a more disciplined, narrower copyright that protected genuine creative expression while leaving functional design free for competition.

Meanwhile, the "look and feel" cases asked whether the visual experience of using a program—its menus, its desktop metaphor—could be owned. Lotus Development Corp. v. Borland International, 49 F.3d 807 (1st Cir. 1995), held that the Lotus 1-2-3 menu command hierarchy was an uncopyrightable "method of operation" under § 102(b); a tied Supreme Court affirmed without opinion in 1996. And in the long-running Apple Computer, Inc. v. Microsoft Corp., 35 F.3d 1435 (9th Cir. 1994), the Ninth Circuit rejected Apple's claim that Windows had infringed the "look and feel" of the Macintosh graphical interface, holding that most of the disputed elements were unprotectable ideas or were licensed. These cases drew the boundary that still governs: copyright guards the code and the genuinely creative graphics, but not the functional interface conventions everyone needs to compete.

The argument never fully ended. It resurfaced, decades later and at the highest level, in Google LLC v. Oracle America, Inc., 593 U.S. 1 (2021), where the Supreme Court considered whether Google's reuse of roughly 11,500 lines of Java API declaring code infringed Oracle's copyright. The Court ducked the copyrightability question and instead held that Google's reuse was fair use, emphasizing that the copied material was functional "interface" code and that letting Oracle lock it up would harm the public. The through-line from Apple v. Franklin to Google v. Oracle—how to protect creative software without monopolizing the functional plumbing every developer relies on—is one of the great continuities of computer law.

Act II: The Long War Over Software Patents

If copyright was the software industry's foundation, patents were its battlefield. Copyright is comparatively cheap and automatic, but it only stops literal copying; a clever competitor can write original code that does the same valuable thing. A patent is the stronger weapon—it can stop anyone from practicing the underlying invention, even if they wrote every line themselves. The question that consumed forty years of litigation was deceptively simple: can you patent software at all?

Benson: A Cold Start

The Supreme Court's first instinct was no. In Gottschalk v. Benson, 409 U.S. 63 (1972), the Court rejected a patent on an algorithm for converting binary-coded decimal numerals into pure binary. Patents cannot be granted on "abstract ideas," "laws of nature," or "mathematical formulas," the Court said, and an algorithm was essentially mathematics. To patent this algorithm would be to patent the idea itself. Benson cast a long shadow; for years, the conventional wisdom was that software, being math, was unpatentable.

Diamond v. Diehr: A Door Cracks Open

Then came the case that changed everything by changing very little. In Diamond v. Diehr, 450 U.S. 175 (1981), the inventors had a process for curing synthetic rubber that used a well-known mathematical equation (the Arrhenius equation) and a computer to constantly recalculate the right moment to open the mold. The Patent Office rejected it as an attempt to patent a formula. The Supreme Court, by a 5–4 vote, reversed. The claim, the Court held, was not for the equation in the abstract but for a complete, physical process of curing rubber that happened to use a computer and a formula along the way. You cannot patent a mathematical formula, but you can patent an industrial process that incorporates one.

Diehr was decided the same Term that the Court, in Diamond v. Chakrabarty, 447 U.S. 303 (1980), held that a live, genetically engineered bacterium was patentable subject matter—famously declaring that Congress intended patent-eligible subject matter to "include anything under the sun that is made by man." Together, the two Diamond cases signaled a more permissive era. The door to software patents was now ajar.

State Street: The Floodgates Open

The door blew wide open in 1998. In State Street Bank & Trust Co. v. Signature Financial Group, Inc., 149 F.3d 1368 (Fed. Cir. 1998), the Federal Circuit upheld a patent on a computerized method of pooling mutual fund assets—a business method—and announced that anything producing a "useful, concrete and tangible result" was patentable. The decision detonated. Suddenly you could patent ways of doing business: one-click ordering, reverse auctions, financial hedging strategies, methods of running a website. The number of business-method and software patents soared, and so did litigation. A cottage industry of "patent assertion entities"—companies that owned patents but made nothing, pejoratively called "patent trolls"—grew up to monetize the flood.

Bilski and Alice: The Tide Goes Back Out

The backlash took a decade to crest, and it crested at the Supreme Court. First, in Bilski v. Kappos, 561 U.S. 593 (2010), the Court rejected a patent on a method of hedging risk in commodities trading, holding it an unpatentable abstract idea—and rejected the Federal Circuit's rigid "machine-or-transformation" test as the sole test of eligibility, while declining to categorically bar all business methods.

Then came the decision that defines the modern landscape. In Alice Corp. v. CLS Bank International, 573 U.S. 208 (2014), the Court confronted a patent on using a computer as an intermediary to settle financial transactions and reduce "settlement risk." Drawing on its earlier decision in Mayo Collaborative Services v. Prometheus Laboratories, Inc., 566 U.S. 66 (2012), the Court announced what is now called the Alice/Mayo two-step. Step one: is the claim directed to a patent-ineligible concept—an abstract idea, law of nature, or natural phenomenon? Step two: if so, does the claim add an "inventive concept"—something significantly more than the ineligible idea itself? Simply saying "do it on a computer," the Court held, is not enough. Alice invalidated the patent and, in the years that followed, hundreds of software and business-method patents fell to § 101 challenges, often at the very start of a case.

Alice did not kill software patents—genuine technological improvements to how computers work remain patentable—but it transformed how they must be drafted and defended. Practitioners now frame inventions as concrete technical improvements (faster databases, better network security, reduced memory use) rather than as abstract ideas implemented on a generic computer. Cases like Enfish, LLC v. Microsoft Corp., 822 F.3d 1327 (Fed. Cir. 2016), and McRO, Inc. v. Bandai Namco Games America Inc., 837 F.3d 1299 (Fed. Cir. 2016), carved out room for software claims that improve the functioning of the computer itself, and Berkheimer v. HP Inc., 881 F.3d 1360 (Fed. Cir. 2018), made clear that step two can turn on disputed facts. The strategic playbook that emerged is the subject of our detailed guide to patent eligibility after Alice. Congress has repeatedly considered reform—most recently the Patent Eligibility Restoration Act—but as of 2026, Alice remains the law, and the two-step still governs every software-patent application and lawsuit.

Act III: The Computer as Crime Scene—The CFAA

While the IP lawyers fought over who could own software, a parallel question arose: what counts as a crime against a computer? In the early 1980s the country watched, half-amused and half-alarmed, as teenagers dialed into systems they had no business reaching. The 1983 film WarGames, in which a high-schooler accidentally taps into a military computer and nearly starts a nuclear war, reportedly rattled members of Congress. Existing theft and trespass laws were a poor fit—nothing was physically taken, no door was physically broken—and so Congress wrote a new one.

A Statute Built for Hackers, Stretched to Fit Everything

The Computer Fraud and Abuse Act of 1986, codified at 18 U.S.C. § 1030, made it a federal crime to "access a computer without authorization" or to "exceed authorized access." It was aimed at outside intruders breaking into government and financial systems. But the statute's language was elastic, and over the next thirty years prosecutors and civil plaintiffs stretched it to cover conduct its authors never contemplated: employees who violated company computer-use policies, users who breached a website's terms of service, researchers who scraped public data, even a woman who created a fake MySpace profile. The CFAA became, in critics' words, "the worst law in technology"—not because hacking shouldn't be illegal, but because almost anyone who ever lied about their age online could arguably be a federal criminal.

The danger of that breadth became tragically concrete in the case of Aaron Swartz, the programmer and activist who downloaded millions of academic articles from the JSTOR database through MIT's network. Facing CFAA charges that could have meant decades in prison, Swartz died by suicide in 2013. His death galvanized a reform movement and put a spotlight on the central interpretive question dividing the courts: what does it mean to "exceed authorized access"? Did it mean breaking into a system you weren't allowed to enter at all, or did it also mean using a system you were allowed to enter for a purpose the owner forbade?

Van Buren: The Supreme Court Narrows the Net

The Supreme Court finally answered in 2021. Nathan Van Buren was a Georgia police sergeant who used his lawful access to a law-enforcement license-plate database to look up a plate in exchange for money—a clear abuse of his position, but he was authorized to use the database. He was convicted under the CFAA's "exceeds authorized access" clause. In Van Buren v. United States, 593 U.S. 374 (2021), the Court reversed, 6–3, adopting the narrow reading. A person "exceeds authorized access," the Court held, only when they access areas of a computer—files, folders, databases—that are off-limits to them, not when they access areas they are allowed to reach but do so for an improper purpose. Justice Barrett warned that the government's broad reading would "criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook."

Van Buren was a watershed. It rejected the idea that violating a website's terms of service or an employer's use policy is, by itself, a federal crime. That narrowing reverberated immediately into the world of data scraping, where companies had long invoked the CFAA to stop competitors from harvesting publicly visible data. The Ninth Circuit's saga in hiQ Labs, Inc. v. LinkedIn Corp.—which held that scraping data that is publicly available, without any authentication barrier, generally does not "access without authorization" under the CFAA—now reads as a companion to Van Buren. The contract-and-copyright dimensions of that fight are explored in our analysis of data scraping after hiQ v. LinkedIn. The CFAA still has real teeth against genuine intrusions, but it is no longer a catch-all for every broken promise about how a computer may be used.

Act IV: The Internet Arrives and the Law Improvises (The 1990s)

Everything so far happened to relatively isolated machines. Then they all connected. The commercialization of the internet in the early-to-mid 1990s did not just create new disputes; it forced the law to answer a structural question it had never faced at scale: when millions of strangers can publish to the world through a handful of private platforms, who is responsible for what they say?

The Twenty-Six Words: Section 230

The trigger was a pair of contradictory defamation rulings. In Cubby, Inc. v. CompuServe Inc., 776 F. Supp. 135 (S.D.N.Y. 1991), a court held that an online service that did not moderate user content was a mere "distributor," not liable for users' defamatory posts. But in Stratton Oakmont, Inc. v. Prodigy Services Co., 1995 WL 323710 (N.Y. Sup. Ct. 1995), a court held that because Prodigy did moderate—it tried to keep its boards family-friendly—it was a "publisher," fully liable for everything users posted. The perverse lesson was that any platform foolish enough to clean up its content became legally responsible for all of it, while the platforms that did nothing were safe. That was exactly backwards if the goal was a usable internet.

Congress fixed it in the Communications Decency Act of 1996. While most of that Act—an attempt to ban "indecent" material from the internet—was struck down on First Amendment grounds the very next year in Reno v. American Civil Liberties Union, 521 U.S. 844 (1997), one provision survived and became, in the words of one influential book, "the twenty-six words that created the internet." Section 230, codified at 47 U.S.C. § 230, provides that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." In plain English: an online platform generally is not legally responsible for what its users post, and—just as importantly—it does not lose that protection by choosing to moderate, remove, or filter content.

Section 230 is arguably the single most consequential statute in internet law. Without it, no comment section, social network, review site, or marketplace could function as we know it; the litigation risk of hosting other people's speech would be unbearable. With it, the modern user-generated internet became possible. Courts read it broadly in cases like Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997). But the statute has limits: it does not immunize platforms from federal criminal law or from intellectual-property claims—§ 230(e)(2) expressly carves out "any law pertaining to intellectual property." That carve-out is why a separate regime had to be built for copyright (the DMCA, below) and why trademark and other IP claims against platforms follow different rules, a topic we develop in Section 230 reform and platform liability for user-generated IP infringement. The statute has been under sustained political fire from both left and right for years, and the Supreme Court circled it in Gonzalez v. Google LLC, 598 U.S. 617 (2023), and Moody v. NetChoice, LLC, 603 U.S. 707 (2024), but as of 2026 the twenty-six words still stand.

The DMCA: A Bargain for the Digital Age

The same anxious mid-1990s produced the copyright owner's answer to the internet. As perfect digital copies became trivial to make and distribute, content industries demanded new protections, and the result was the Digital Millennium Copyright Act of 1998. The DMCA was a grand bargain with two main halves.

The first half, the "safe harbor" provisions now in 17 U.S.C. § 512, solved a problem parallel to the one Section 230 solved for defamation: if a website could be sued for copyright infringement every time a user uploaded a pirated song, no host could survive. Section 512 protects qualifying online service providers from monetary liability for user infringement—if they follow the rules: register a designated agent, adopt and implement a repeat-infringer policy, lack actual or "red flag" knowledge of specific infringement, and expeditiously remove material upon a proper "notice and takedown." This is the system that produced the now-ubiquitous DMCA takedown notice and the counter-notification that lets an accused user push back. We walk through the safe harbors in detail in DMCA safe harbors for online service providers and the mechanics in how to file a DMCA takedown notice and respond to one.

The second half, the "anti-circumvention" provisions in 17 U.S.C. § 1201, was far more controversial. It made it illegal to circumvent technological measures—digital locks, or DRM—that control access to copyrighted works, and to traffic in tools designed to do so. The premise was that locks deserve their own legal protection. The objection, voiced ever since, is that § 1201 can criminalize legitimate activity: security research, accessibility tools, repairing your own tractor, refilling a printer cartridge, or unlocking a phone you own. Congress built in a safety valve: every three years the Copyright Office may grant temporary exemptions, which is how, for example, consumers won (and repeatedly re-won) the right to unlock their phones—a saga we tell in unlocking cell phones and the DMCA exemption. The § 1201 debate runs straight into the modern right-to-repair movement, which is in large part a fight over whether the law should let manufacturers use copyright locks to control what owners do with their own devices.

A § 512(f) misrepresentation claim—against those who send bad-faith takedowns—got its leading interpretation in Lenz v. Universal Music Corp., 815 F.3d 1145 (9th Cir. 2016), the "dancing baby" case, which held that a copyright owner must consider fair use before sending a takedown notice. It is a small but telling reminder that the DMCA's powers run in both directions.

The Crypto Wars: Is Code Speech?

Quietly, alongside the headline fights over copyright and platforms, one of the most philosophically interesting battles of the 1990s was being waged over mathematics. The government had long treated strong encryption as a munition—a weapon subject to export controls under the same regime that governs missiles and tanks. As personal computers made strong cryptography available to ordinary citizens, the government tried to keep it bottled up: it pushed the "Clipper Chip," an encryption standard with a built-in government back door, and it threatened criminal prosecution of anyone who exported cryptographic software.

The "Crypto Wars" turned on a startling question: is computer source code speech protected by the First Amendment? A mathematician named Daniel Bernstein wanted to publish an encryption algorithm he had written, and the government's export rules effectively forbade him from posting his own code online. He sued. In Bernstein v. United States Department of Justice, 176 F.3d 1132 (9th Cir. 1999), a Ninth Circuit panel held that source code is a form of expression protected by the First Amendment, and that the export controls operated as an unconstitutional prior restraint on his speech. (The opinion was later withdrawn for rehearing en banc as the government relaxed its rules, but its reasoning was hugely influential.) The Crypto Wars largely ended in the late 1990s when the government substantially liberalized encryption export rules—a tacit acknowledgment that you cannot, in a connected world, keep math secret. Echoes persist whenever governments demand "lawful access" back doors, but the principle that strong encryption is a normal, legal tool dates from this era.

Act V: Making Commerce Legal—E-SIGN and UETA

A more mundane but enormously important milestone arrived as the dot-com boom peaked. People wanted to buy and sell online, sign contracts online, and form binding agreements with a click—but a nagging doubt lingered. Centuries of law assumed contracts were on paper, signed in ink. Was an electronic record a "writing"? Was a typed name, or a clicked "I Agree" button, a "signature"?

Two complementary laws settled it. The Uniform Electronic Transactions Act (UETA), a model law promulgated in 1999 and since adopted by nearly every state, and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN) of 2000, 15 U.S.C. § 7001, together established a simple, powerful principle: a record or signature may not be denied legal effect solely because it is in electronic form. An email can be a contract. A clicked button can be a signature. A PDF in your files can satisfy a statute of frauds. This unglamorous legal plumbing is what makes the entire economy of online agreements, e-commerce, and digital signing platforms possible.

The courts then spent the next two decades working out which online agreements actually bind. The lesson of cases like ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996), Specht v. Netscape Communications Corp., 306 F.3d 17 (2d Cir. 2002), and Nguyen v. Barnes & Noble Inc., 763 F.3d 1171 (9th Cir. 2014), is that enforceability turns on notice and assent: a "clickwrap" agreement that requires the user to affirmatively click "I Agree" after a clear presentation of terms is usually enforceable, while a "browsewrap" that buries terms in a footer link the user never sees often is not. Those principles govern the terms of service behind every app and website today, and they inform our overviews of software licensing agreements and software transactions.

Act VI: The Open-Source Revolution

While corporations litigated over proprietary software, a counter-movement was quietly rewriting the rules of the game. The idea was almost paradoxical: use copyright not to restrict sharing but to guarantee it. In 1989, Richard Stallman and the Free Software Foundation released the GNU General Public License (GPL), the most influential of the "copyleft" licenses. The GPL grants everyone the freedom to use, study, modify, and share the software—on the condition that anyone who distributes a modified version must release their changes under the same terms. Copyright law, the usual instrument of exclusion, was turned into an engine of openness. The infrastructure of the modern internet—the Linux kernel, Apache, countless libraries—runs on this model. (The standardization story that made portable, interoperable software possible is its own fascinating chapter, told in our piece on POSIX and POSIX standards.)

For years a skeptic's question hung over the whole enterprise: are these licenses actually enforceable? If someone violates the GPL, is that a mere breach of contract (with limited remedies) or copyright infringement (with injunctions and statutory damages)? The Federal Circuit answered decisively in Jacobsen v. Katzer, 535 F.3d 1373 (Fed. Cir. 2008). An open-source license, the court held, sets conditions on a copyright grant, not mere contractual covenants; violate the conditions and you are infringing the copyright, with all the powerful remedies that implies. Jacobsen gave open-source licenses real legal force and reassured a generation of companies that the licenses they relied on would hold up.

Open source is no longer a fringe ideology; it is the substrate of nearly all commercial software, which is precisely why managing it has become a core compliance discipline. The risks—copyleft "viral" obligations that can require disclosing proprietary code, license incompatibilities, and the duty to track every component in a software bill of materials—are why companies run formal open-source programs. We cover the landscape in open source software: licenses, compliance, and risk and the practical traps in open-source licensing landmines in enterprise software development. The latest chapters in this story are the "source-available" license shifts (companies adopting the SSPL or Business Source License to fend off cloud competitors) and the tangled question of how open-source norms apply to AI models trained on open-source code.

Act VII: The Birth of Data-Privacy Law

For most of computing history, the United States had no general privacy law—only a patchwork of sector-specific rules and a constitutional doctrine, built around the Fourth Amendment, that mostly constrained the government rather than private companies. As databases grew and the web turned every click into a data point, that patchwork began, slowly, to fill in.

The sectoral statutes came first. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 set privacy and security standards for health information—rules now central to cloud computing, as we explain in HIPAA business associates and cloud computing. The Children's Online Privacy Protection Act (COPPA) of 1998 required parental consent before websites collect data from children under 13. The Gramm-Leach-Bliley Act addressed financial data. And the Federal Trade Commission, using its authority under Section 5 of the FTC Act to police "unfair or deceptive" practices, gradually became the nation's de facto privacy regulator—bringing enforcement actions against companies that broke their own privacy promises or failed to secure data.

Then the center of gravity shifted overseas and then to California. The European Union's General Data Protection Regulation (GDPR), which took effect in 2018, established a comprehensive, rights-based privacy framework with extraterritorial reach and fines large enough to command global attention—data minimization, purpose limitation, a right to erasure, breach notification, and strict rules on transferring data out of Europe. GDPR reset worldwide expectations. The cross-border transfer piece alone spawned years of litigation, culminating in the Schrems II decision that invalidated one transfer mechanism and complicated the rest; we cover the aftermath in international data transfers after Schrems II.

In the United States, comprehensive privacy law arrived not from Congress but from the states. The California Consumer Privacy Act of 2018, strengthened by the California Privacy Rights Act, gave consumers rights to know, delete, and opt out of the sale of their personal information—and, by 2026, roughly twenty states have followed with their own comprehensive privacy statutes, producing a complex compliance patchwork. Two themes from this batch capture where the field is heading: the principle of collecting and keeping only what you need, in data minimization and avoiding the over-retention of personal information, and the operational work of pulling it all together in developing a privacy compliance program. A distinct front has opened around biometrics—fingerprints, faceprints, voiceprints—where statutes like Illinois's Biometric Information Privacy Act have generated landmark litigation, as discussed in biometric data privacy laws and their impact on AI development.

Act VIII: The Present—Artificial Intelligence and the Next Round of Old Questions

Which brings us to now, and to a striking realization: the AI revolution is not posing brand-new legal questions so much as re-asking the oldest ones in this history, at higher stakes.

Can a machine be an author or an inventor? Copyright and patent law have answered, so far, no. The U.S. Copyright Office has maintained that copyright requires human authorship, refusing to register works generated autonomously by AI—a position upheld in litigation over an AI-generated image, and echoed in the patent context where the Federal Circuit held in Thaler v. Vidal, 43 F.4th 1207 (Fed. Cir. 2022), that an "inventor" under the Patent Act must be a natural person. The deeper questions about machine creativity are taken up in AI-generated inventions: who owns what the machine creates.

Is training an AI on copyrighted works infringement, or fair use? This is Apple v. Franklin and Google v. Oracle all over again—a fight over how much of someone else's protected expression you may use to build something new. A wave of lawsuits by authors, artists, and news organizations is testing it, as we track in copyright infringement claims against generative AI.

Who is liable when an AI causes harm, and how do privacy and platform rules apply to systems that generate content? These are the liability and Section 230 questions of the 1990s, transposed to a world where the "speaker" may be an algorithm. And the right-of-publicity fights over deepfakes and AI voice clones—addressed in the right of publicity meets digital doubles—are the latest skirmish in the perennial war between new technology and old identity. For a broad map of the field as it stands in 2026, see our overview of artificial intelligence: key legal issues.

The pattern holds. A genuinely new machine arrives, and the law reaches first for its existing boxes—copyright, contract, tort, the First Amendment—and only reluctantly, and partially, builds new ones. The arguments we are having about AI in 2026 would be recognizable to the lawyers who argued Apple v. Franklin in 1983. They are the same argument: how do we fit the future into the rules we already have?

Key Takeaways

The history of computer law is best understood not as a steady accumulation of statutes but as a series of confrontations between novel technology and existing legal categories. A few threads run through the whole story.

First, the idea/expression distinction—software copyright protects the particular code you wrote, not the function it performs—has shaped the industry since Apple v. Franklin, and it is now central to the AI-training fight. Second, the law repeatedly oscillates: it expands a doctrine (broad software patents after State Street, broad CFAA liability), overshoots, and then contracts (Alice, Van Buren). Third, the great enabling statutes of the internet—Section 230 and the DMCA safe harbors—work by limiting liability so that platforms can exist at all, a design choice now under intense political pressure. Fourth, privacy law in the United States grew from the bottom up and the outside in, driven by sectoral rules, the FTC, the EU's GDPR, and the states rather than by a single comprehensive federal act. And fifth, nearly every "unprecedented" question raised by today's technology is a variation on a question the law has confronted before.

For the practitioner, the lesson is humility about prediction and rigor about fundamentals: master the underlying doctrines of copyright, patent, contract, and constitutional law, because the next disruptive technology will be governed, at first, by exactly those tools.

Frequently Asked Questions

What is "computer law," exactly? It is an umbrella term, not a single statute or court. Computer law gathers the legal rules governing computers, software, networks, and data—pulling from copyright, patent, and trade-secret law; criminal statutes like the Computer Fraud and Abuse Act; contract and commercial law; constitutional free-speech and search-and-seizure doctrine; and the growing field of privacy regulation. What unites these strands is a shared challenge: applying rules written for an earlier world to genuinely new machines.

Is software protected by copyright, patent, or both? Potentially both, and often trade secret too. Copyright protects the particular code a developer wrote (it arises automatically and is comparatively cheap) but only stops copying. A patent can protect the underlying invention against anyone who practices it—even an independent developer—but after Alice Corp. v. CLS Bank (2014), software is patentable only if it reflects a genuine technical improvement, not merely an abstract idea run on a generic computer. Many companies layer all of these protections; see our guide on the legal protection of software.

Why is Section 230 so important and so controversial? Section 230 (47 U.S.C. § 230) provides that online platforms generally cannot be treated as the publisher of content their users post, and that they keep that protection even when they moderate. It made the user-generated internet—comment sections, social media, marketplaces, review sites—legally feasible. It is controversial because critics across the political spectrum argue it lets platforms escape accountability for harmful content, while defenders warn that repealing it would either flood the internet with lawsuits or push platforms to over-censor. Note that it does not cover intellectual-property claims, which is why the separate DMCA safe harbor regime exists.

What did Van Buren change about the Computer Fraud and Abuse Act? Before 2021, prosecutors and companies used the CFAA aggressively, arguing that merely violating a website's terms of service or an employer's computer-use policy could be a federal crime. In Van Buren v. United States (2021), the Supreme Court rejected that broad reading: you "exceed authorized access" only when you reach files or areas of a computer that are off-limits to you, not when you misuse access you legitimately have. The decision sharply narrowed the statute's reach, with major implications for data scraping and employee-disloyalty cases.

Are AI-generated works protectable, and is AI training legal? As of 2026, U.S. copyright requires human authorship, so the Copyright Office will not register a work generated autonomously by AI, and the Federal Circuit has held that a patent "inventor" must be a human (Thaler v. Vidal, 2022). Whether training an AI on copyrighted material is lawful fair use is being litigated right now in a wave of cases by authors, artists, and publishers; there is no settled answer. We track these fast-moving questions in AI-generated inventions and copyright claims against generative AI.

Why does so much of this law come from court decisions rather than statutes? Because technology almost always outpaces legislation. When a new machine arrives, there is rarely a statute squarely on point, so judges must decide how existing law applies—and those decisions (whether object code is copyrightable, whether code is speech, what "authorization" means) often govern for years before, or instead of, Congress acting. That is why a history of computer law is, to a large degree, a history of landmark cases.

This article provides general information and is not legal advice. The law described here is complex, varies by jurisdiction, and is changing quickly; for advice about a specific situation, consult qualified counsel.